Password Security Best Practices for Healthcare Organizations


Laura M. Cascella, MA, CPHRM

In the current healthcare technology landscape — which includes robotics, telehealth, artificial intelligence, 3D printing, nanomedicine, virtual reality, and more — password security might seem like an archaic topic. Clinicians and other healthcare workers have used passwords for years to log in to various organizational systems, and these actions have likely become second nature. In recent years, however, cyberattacks and data breaches have heightened security concerns for small and large healthcare organizations, emphasizing the need to develop new security strategies and revisit old protocols.

Although the concept and purpose of passwords are not new, these security controls still prove troublesome in healthcare, where “deficient user authentication and excessive user permissions are frequently named as the leading risks to the enterprise.”1 Examples of common password issues include staff creating weak passwords, sharing passwords, writing passwords on paper, posting passwords in visible locations, and forgetting to log out of systems.

Unfortunately, even minor oversights in password security can result in significant consequences. Failure to follow best practices for creating, updating, and recovering passwords might put confidential and protected information at risk, potentially increasing the risk of cyberattacks, data breaches, and HIPAA violations.

Below are lists of “do’s” and “don’ts” for password security, curated from various cybersecurity resources.2 Use these recommendations to review your healthcare organization’s current password protocols and pinpoint potential security issues. Proactively addressing security gaps can help mitigate cybersecurity risks and protect sensitive and proprietary information.

Password Do’s

  • Require a password login for all organizational systems that contain protected health information, confidential files, or sensitive data.
  • Change default passwords that come with systems or programs immediately after installation.
  • Establish security standards that require passwords to be at least eight characters long and use a combination of uppercase and lowercase letters, numbers, and symbols.
  • Consider requiring passphrases rather than passwords for systems or programs that contain highly sensitive information. A passphrase is typically a sentence or a combination of words, numbers, and symbols, and it is usually longer than a password.
  • Encourage staff members to break common password habits, such as placing capital letters at the beginning of a password and numerals at the end.
  • Use two-factor or multi-factor authentication. This method involves a password and at least one other identifying technique, such as an electronic identification card, key fob, or fingerprint recognition.
  • Consider implementing (a) password monitoring to screen for weak, commonly used, expected, and compromised passwords, or (b) password managers/vaults to help generate complex and unique passwords for various systems that employees can easily access through a strong master password.
  • Configure systems to prevent users from repeating the same password within a specified timeframe in the event that a password needs to be reset.
  • Enable a password reset function on your systems so that staff members can change forgotten passwords once their identities are authenticated.
  • Implement an account lockout function that triggers after a certain number of failed attempts, and set accounts to automatically disable if they are inactive for a predefined amount of time.
  • Enable optional password protection on any devices or systems that offer this option.

Changing Passwords

Previous best practices recommended that organizations should require users to change their passwords routinely (e.g., every 30, 60, or 90 days). However, newer guidance suggests that forcing password expiry isn’t necessary and may actually compromise security by perpetuating poor practices (such as staff members writing down passwords to remember them). Microsoft advises that passwords should only be changed if they are known or suspected to be compromised.3

Password Don’ts

  • Advise staff members to avoid passwords or passphrases that:
    • Contain common words or terms, even if the spelling is slightly altered (example: H0spital1234 or Nur$e1234).
    • Use common phrases, famous quotations, and song lyrics (e.g., 2BeOrNot2Be?).
    • Contain personal information, such as first, middle, or last names; pets’ names; street names; Social Security numbers; etc. (example: JaneDoe1975).
    • Are overly simplistic or easily guessed (example: PassWord1234).
    • Use adjacent keyboard combinations (example: qwerty1234).
    • Contain pop culture references (example: $tarWar$2021).
    • Use information found on social media sites (example: @JaneDoeTweets).
  • Avoid systems that use password hints or knowledge-based authentication (KBA) as a method of password recovery. Evidence suggests that hints are often weak (example: favorite science fiction movie), and KBA answers can be easily guessed or researched (example: mother’s maiden name).
  • Advise staff to not write down passwords as a method of remembering them, even if they think they are concealed.
  • As part of security policies, prohibit staff from sharing passwords with other personnel or letting others use a system or network while they are logged in.
  • Recommend that staff do not use the same password for multiple systems and personal/professional accounts.
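As an added illustration (not from the original article or its cited sources), the screening function below applies the composition rule from the Do’s list and the patterns from the Don’ts list above to candidate passwords; the word list, keyboard sequences, compromised-password sample, and user profile are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample lists for this example; a real deployment would load a
# large common-password dictionary and a breach corpus instead.
BANNED_WORDS = {"hospital", "nurse", "doctor", "clinic", "password", "welcome",
                "admin", "letmein", "tobeornottobe", "starwars"}
COMPROMISED = {"Welcome123", "Summer2021!"}            # stand-in for a breach list
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")
# Undo the substitutions people use to disguise common words (H0spital, Nur$e).
LEET = str.maketrans({"0": "o", "1": "i", "2": "to", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "@": "a", "!": "i"})

@dataclass
class Profile:
    """Personal details that should not appear in a user's password (constructed)."""
    names: tuple = ()
    pets: tuple = ()
    years: tuple = ()

def normalize(pw: str) -> str:
    """Lower-case and de-substitute so H0spital1234 exposes 'hospital'."""
    return pw.lower().translate(LEET)

def screen_password(pw: str, profile: Profile = Profile(), history=()) -> list:
    """Return a list of finding codes; an empty list means the password passes.
    Codes: length, classes, common_word, keyboard, personal, compromised, reuse, habit."""
    findings = []
    low, norm = pw.lower(), normalize(pw)
    if len(pw) < 8:                                     # eight-character minimum
        findings.append("length")
    if not all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")):
        findings.append("classes")                      # upper, lower, digit, symbol
    if any(w in norm for w in BANNED_WORDS):
        findings.append("common_word")                  # common words, quotes, pop culture
    if any(run in low for run in KEYBOARD_RUNS):
        findings.append("keyboard")                     # adjacent-key sequences
    tokens = [t.lower() for t in profile.names + profile.pets + profile.years if len(t) >= 3]
    if any(t in low or t in norm for t in tokens):
        findings.append("personal")                     # names, pets, birth years
    if pw in COMPROMISED:
        findings.append("compromised")
    if pw in history:          # real systems compare against stored hashes, not plaintext
        findings.append("reuse")
    if re.fullmatch(r"[A-Z][a-z]+\d+[^A-Za-z0-9]*", pw):   # capital first, digits last habit
        findings.append("habit")
    return findings

if __name__ == "__main__":
    jane = Profile(names=("Jane", "Doe"), years=("1975",))
    for candidate in ("H0spital1234", "Nur$e1234", "JaneDoe1975", "2BeOrNot2Be?",
                      "Glacier-Pelican-47-Ortho!"):
        print(f"{candidate:28} {screen_password(candidate, jane) or 'OK'}")
```

Only the normalized form is matched against the word list, which is why disguised spellings such as Nur$e1234 and $tarWar$2021 are still rejected.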

Although no strategy can guarantee complete protection, following best practices for password security and avoiding known password weaknesses can improve your organization’s ability to defend against cyberattacks and data breaches.

Cybersecurity is an issue that will continue to evolve and present challenges in healthcare. As attackers refine their password-cracking techniques with new tools and technologies, keeping current with best practices for password security will be an essential part of healthcare organizations’ security protocols and staff education priorities.

Unfortunately, even the most sophisticated security technologies can be futile if the people using networks, devices, and systems lack awareness of, or are noncompliant with, security protocols. A proactive approach to keep current with cybersecurity issues, identify potential gaps and vulnerabilities, and educate and engage staff in security initiatives will help healthcare organizations build and maintain robust security cultures.


1 Davis, J. (2020, September 2). Healthcare’s password problem and the need for management, vaults. Health IT Security. Retrieved from https://healthitsecurity.com/news/healthcares-password-problem-and-the-need-for-management-vaults

2 Cybersecurity & Infrastructure Security Agency. (2020, January 21). Security tip (ST05-012): Supplementing passwords. Retrieved from https://us-cert.cisa.gov/ncas/tips/ST05-012; Davis, J., Healthcare’s password problem; HIPAA Journal. (2021, March 9). The HIPAA password requirements and the best way to comply with them. Retrieved from www.hipaajournal.com/hipaa-password-requirements/; Office of the National Coordinator for Health Information Technology. (2015, January). Top 10 tips for cybersecurity in healthcare. U.S. Department of Health and Human Services. Retrieved from www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf; Office of the National Coordinator for Health Information Technology. (2010, November). Cybersecurity: 10 best practices for the small healthcare environment. U.S. Department of Health and Human Services. Retrieved from www.healthit.gov/sites/default/files/basic-security-for-the-small-healthcare-practice-checklists.pdf; Venditto, G. (2015, October). Best practices for password security. Healthcare IT News. Retrieved from www.healthcareitnews.com/news/best-practices-password-security; National Institute of Standards and Technology. (2017, June). Digital identity guidelines (NIST Special Publication 800-63-3). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf

3 Strawbridge, G. (2021, March 2). Password policy best practices 2021. MetaCompliance. Retrieved from www.metacompliance.com/blog/password-policy-best-practices-2021/; Microsoft. (2021, July 12). Password policy recommendations. Retrieved from https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
